ORBTR and GDPR — An FAQ

GDPR (The General Data Protection Regulation) takes effect on May 25, 2018 and implements a standard across Europe for personal data security and protection. ORBTR takes data protection extremely seriously and we know that our customers do as well.

Q: My business is an ORBTR customer and we are based in the United States — does this regulation apply to my firm?

One of the most distinctive things about GDPR is that it is designed to protect Europe’s residents, NOT its geography. So no matter where your business is located, GDPR still applies if you control or process any personal data about individuals in the EU. For many companies, regardless of location, the answer is therefore YES. Fines for violations can reach €10,000,000 (roughly $12 million) or 2% of worldwide annual turnover, whichever is higher, and double that for the most serious infringements.

Q: What is ORBTR doing to comply with GDPR?

We have made a number of important changes, including:

Updated our Terms of Service, effective immediately for all customers and users of any ORBTR products

Created an updated, simple, and streamlined opt-out process for any individuals who do not wish to be tracked by ORBTR software

Identified and audited all third-party vendors and services that have access to the personal data of ORBTR customers

Identified and audited all third-party vendors and services that have access to the personal data of individuals being tracked by the ORBTR software

Audited data storage, security, and retention policies

Notified all ORBTR customers to remind them of the importance of GDPR compliance and of the changes required to their websites

Q: If my business uses ORBTR, do I need to do anything to my site to comply with GDPR?

While we cannot tell you everything your business might need to do to comply with GDPR, our updated Terms of Service require all ORBTR customers to add the following text to their online privacy policy:

As you use this website, cookies will be placed on your device by our software partner, ORBTR, so that we can better understand what you are interested in on our website. This software serves the legitimate interest of helping us personalize content and better serve you as a customer. ORBTR software monitors your activity on this website (ORBTR cookies do not track your movements beyond this site) completely anonymously until such time as you voluntarily supply our company with personal information such as your name, email address, postal address, or telephone number. Methods of providing contact information may include filling out a form, making a purchase on this website, commenting on our blog, or participating in our email marketing. This information is for our company’s use only; it is not used by ORBTR or their partner companies in any way except to serve our account. ORBTR will not sell/share/rent your information to any other ORBTR customers/clients, nor will they sell/share/rent your information to any third party. If you wish to opt out of this tracking, please visit http://orbtr.net/opt-out.

Q: Is ORBTR a processor or controller under the GDPR regulations and what legal basis is used for processing?

A controller, per GDPR Article 4, is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data,” and a processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” ORBTR acts as both.

There are six legal bases for processing data under the GDPR (source: the UK Information Commissioner’s Office, ICO):

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

ORBTR (which does not itself perform direct marketing or email marketing, but integrates with other tools that do) gives businesses the ability to personalize content and serve customers more effectively based on their needs and preferences, both legitimate business interests, and ORBTR’s storage of personal data is tied to these functions. Combining ORBTR data with other tools to perform functions such as email or SMS marketing would require explicit consent. Note also that the ePrivacy Directive (Article 5(3)), as implemented in EU member states, separately requires consent before non-essential cookies are stored on a visitor’s device, so the legal basis for the cookie itself should be checked against the cookie rules that apply to your site, not only against the GDPR basis for the later processing.

Q: Who does ORBTR share personal data with?

ORBTR never shares data between ORBTR customers; personal data is only shared with the administrators of the customer website where the data was collected. Outside of the customer relationship, the only entities with access to personal data on ORBTR’s servers are trusted third-party partner companies charged with helping ORBTR manage and secure that data. ORBTR never shares/sells/rents personal data to outside organizations.

Q: If I have more questions about ORBTR and GDPR, how can I get answers?